2018-19 ANNUAL REPORT BY NRS AUDIT and RISK COMMITTEE 
1. Executive summary 


1.1 The Audit and Risk Committee (the Committee) of NRS completed its 
programme of work for 2018-19 and was satisfied that the range of 
assurances and evidence of effective internal controls, together with 
responses to strengthen internal controls, supplied to the Committee were 
sufficiently reliable to provide overall assurance and support to the 
Accountable Officer and to the Management Board in their financial 
stewardship responsibilities. 


1.2 Sources of assurance considered by the Committee during the year 
include reports from the external auditors, internal auditors, objective scrutiny 
of risk management systems, and internal controls reports received from 
management. 


1.3 The Committee was satisfied with the quality and relevance of the 
reports it received from both the external auditors and internal auditors. 


1.4 The Committee noted the “Limited Assurance” opinion received from 
internal audit which was a deterioration from the prior year “Reasonable 
Assurance” opinion. The Committee noted the areas reviewed by internal audit 
during the year, the challenges associated with the Census programme and 
discussed with management areas of strength and opportunities for 
improvement in risk management and control. 


2. Purpose of the Committee 


2.1 The Committee has been appointed to provide independent advice and 
support to the Accountable Officer of NRS in delivering their responsibilities 
for issues of risk, internal controls and governance. 


2.2 The Committee operates by providing robust constructive challenge 
and scrutiny to support the Accountable Officer, including reviewing the 
effectiveness of internal controls, risk management arrangements, financial 
information, and the integrity and independent audit of the Annual Report and 
Accounts. 


2.3 The Committee carries out a planned schedule of four meetings per 
year, in accordance with good practice, but may convene additional meetings 
if necessary. The quorum is a minimum of three Non-Executive members. 


3. Duties of the Committee 


3.1 The Committee will advise the NRS Chief Executive Officer, 
Accountable Officer and the NRS Strategic Board on: 


• the strategic processes for risk, control and governance and the 
governance statement; 

• the approval and signing of the annual report and accounts, including the 
process for review of the accounts prior to submission for audit, levels of 
error identified, and management's letter of representation to the 
external auditors; 

• the planned activity and results of both internal and external audit 
including reports, advice and findings from external audit on NRS 
financial statements in the annual report and accounts, in accordance 
with ISA 260; 

• the adequacy of management response to issues identified by audit 
activity, including external audit's management letter/report; 

• the effectiveness of the internal control environment; 

• the formulation of an effective three lines of defence assurance 
framework focussed on the organisation’s key risks; 

• counter-fraud policies, whistle-blowing processes, and arrangements for 
special investigations. 


3.2 The Committee primarily utilises work of internal audit, external audit 
and other sources of assurance, but will not limit itself to these sources. It will 
also seek reports and assurances from NRS as appropriate, concentrating on 
the over-arching systems of governance, risk management and internal 
control, together with indicators of their effectiveness. 


3.3 The Committee can also recommend to the Accountable Officer issues 
of concern and/or opportunity it deems appropriate to bring to the attention of 
the NRS Strategic Board. 


4. Membership and meetings 
4.1 Membership of ARC during 2018-19 was: 


• Colin Ledlie, Committee chair and Non-Executive Director (profile) 
• Mandy Gallacher, Non-Executive Director (profile) 
• Bill Matthews, Non-Executive Director (profile) 


4.2 Other regular attenders were NRS Chief Executive, NRS Accountable 
Officer, NRS Head of Strategy and Planning, NRS Head of Business Portfolio, 
NRS Chief Finance Officer, External Auditors (Audit Scotland) and Internal 
Auditors (Scottish Government Internal Audit Division). 


5. External Audit (Audit Scotland) activities 


5.1 External audit provide a significant independent test of the financial 
integrity, effectiveness of internal controls and robustness of sources of 
assurance at NRS. The 2018-19 audit plan set out arrangements for the audit 
of 2018/19 financial statements, as well as consideration and review of the 
following dimensions: 


• Financial management 
• Financial sustainability 
• Governance and transparency 
• Value for money 


5.2 The main review activities carried out were: 


• an interim audit of the National Records of Scotland's main financial 
systems and governance arrangements. 

• an audit of the National Records of Scotland's 2018/19 annual report 
and accounts including the issue of an independent auditor's report. 

• a review of NRS’ arrangements in relation to the audit dimensions 
noted above. 


5.3 The Committee received regular progress reports from Audit Scotland 
against the audit plan which culminated in Audit Scotland’s 2018-19 Annual 
Audit Report which was considered on 5 September 2019. 


5.4 The Committee was pleased to record that Audit Scotland had 
determined that the financial statements of NRS for 2018/19 give a true and 
fair view of the state of the body's affairs and of its net expenditure for the 
year. The Committee also noted the recommendations raised in the report 
and the agreed actions with management. 


6. Internal Audit (Scottish Government Internal Audit 
Division) activities 


6.1 Internal Audit focus on key activities which are relevant to NRS’s 
business purpose and objectives and audits are designed to ensure an 
independent opinion on the adequacy of governance, risk management and 
internal control arrangements is provided. 


6.2 The 2018-19 audit plan comprised reviews of: 


• Census 2021 — Financial Management Arrangements 

• Workforce and Succession Planning 

• Estates Strategy — now to be considered as part of the 2019-20 
planning arrangements. 


and follow-up on the following reviews from 2017-18: 

• IT Security Events & GDPR Arrangements 
• Budget Management Arrangements 
• Census 2021: Risk Management Arrangements 


6.3 The Committee received regular progress reports from Internal Audit 
against the audit plan, considering recommendations made to NRS and the 
response to these including monitoring implementation of recommendations 
by NRS throughout the year. 


6.4 The Committee noted the “Limited Assurance” opinion received from 
internal audit which was a deterioration from the prior year “Reasonable 
Assurance” opinion. The Committee noted the areas reviewed by internal 
audit during the year, the challenges associated with the Census programme 
and discussed with management areas of strength and opportunities for 
improvement in risk management and control. 


7. Budget Monitoring Activities 


7.1 The Committee regularly scrutinised budget-monitoring reports during 
the year, which reported projected outturns against the budgets approved by 
the Management Board and Scottish Government limits. 


8. Risk Management Activities 


8.1 The Committee regularly reviewed reports by management during the 
year on key strategic risks and operational risks. The Committee reviewed the 
effectiveness of risk management systems, internal controls and management 
systems. 


9. Effectiveness of the Committee 


9.1 The Committee has been fortunate in having a wide range of 
experience amongst its members, which enables constructive challenge and 
effective scrutiny of financial issues, audit and risks. However, the Committee 
would benefit from additional members and an effective succession plan 
needs to be developed. The recruitment of additional members with skills in 
financial and programme management is being progressed in 2019. 


9.2 The Committee annually reviews the effectiveness of its own 
operations, in line with good practice, using the “Audit Committee 
Self-Assessment Checklist” contained in the Scottish Government’s Audit 
Committee Handbook. 


